Cryptocurrency Mining Hack That Compromised Thousands of Sites ‘Could Have Been a Catastrophe’

UK and US government sites were affected.

Over the weekend, hackers injected thousands of websites—including UK and US government sites—with code that hijacked visitors’ computers to mine cryptocurrency.

The attack, noticed on Sunday by security researcher Scott Helme, was pulled off by compromising a single plugin that was used by all of the affected sites: Browsealoud, a reputable suite of accessibility and translation tools. According to Helme, the plugin was edited by attackers to embed a script that uses a site visitor’s computer to do the complex math that generates new digital coins (in this case, Monero). This process, known as “mining,” can slow down the victim’s computer.

The attack loaded malicious Javascript onto visitors’ computers. The hackers behind the attack chose to mine cryptocurrency, but they had the power to do almost whatever they wanted.

"It could have been a catastrophe, it really could have—that's not just scaremongering," Helme told Motherboard in a phone call. "We were exceptionally lucky this was so mild and so quickly found."

They could have used their access to install a keylogger onto the victim’s computers, for example, or infected them with more invasive malware. “The only limitation of what happened here was the attacker's imagination,” Helme added.

The cryptocurrency mining script was injected into as many as 4,275 websites, if we assume every site using Browsealoud was compromised (PublicWWW, a site that searches the source code of sites on the web, has a list). The UK’s information commissioner (ICO), UScourts.gov, numerous sites associated with the UK’s National Health Services, and many more.

“The ICO’s website is up and running again following a problem with the Browsealoud feature on Sunday,” a spokesperson for the UK Information Commissioner’s Office told Motherboard in an email. “The website was taken down as a precautionary measure whilst we investigated the incident, which did not involve the access or loss of any personal data. The Browsealoud service has been temporarily removed from the website whilst further work is undertaken.”

The UK National Cyber Security Center, a wing of the GCHQ, released a statement on Sunday saying that it is investigating the matter.

Surreptitious cryptocurrency mining is an increasingly popular method for shady sites or criminals to raise money. Last year, hackers compromised an Argentine internet service provider to embed a mining script on the login page for Starbucks Wi-Fi. The hijacking of thousands of sites at once—and government sites, at that—is a serious escalation in the scope and scale of this kind of cryptocurrency mining.

The hackers used the popular browser mining service Coinhive, which can be used legitimately but has also become a favourite among criminals as well. While Coinhive initially stated that the hackers had merely copied its code, on Tuesday Coinhive admitted that their service was used in the hack. "Sorry for the misinformation," spokespeople added in an email to Motherboard. In addition, Coinhive told Motherboard reporter Joseph Cox in a follow-up interview, the hackers made a grand total of $24 worth of Monero.

“Texthelp has in place continuous automated security tests for Browsealoud—these tests detected the modified file and as a result the product was taken offline," Martin McKay, CTO of Texthelp (the makers of Browsealoud), said in a company blog post. "This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.”

Over the phone, Helme said website administrators should be careful about the third-party content they load on their pages. There are already tools to control what content plugins can load on sites, such as Content Security Policy and Subresource Integrity. "With those combined you have a very robust defense against exactly what this is attacking," Helme said.

Last year, security researchers at Symantec foretold a looming “arms race” between malicious hackers mining cryptocurrency and the people trying to stop them; today, it seems like that race has really begun.

UPDATE: The original version of this article stated that the cryptocurrency mining script came from Coinhive, but Coinhive spokespeople stated that the script was merely "copied" from their code, and the hackers used their own servers to communicate with the Monero network. Later, Coinhive confirmed that their service was in fact used in the hack.